Archive for category Password Security
Hacking Lotus Domino
Posted by Mourad Ben Lakhoua in Password Security, Pentesting, Vulnerabilities on July 12, 2010
IBM Lotus Domino Server is a solution for the corporate environment that provides different services to manage electronic documents, and it includes many models such as Mail server, Http server and Data base. The current version is Lotus Domino 8.5.1.
To detect the server we start by scanning the network, usually the server runs a web interface Lotus Domino httpd, so we run Nmap and scan the targeted network as follows:
nmap -sV 172.16.1.0/24 -p 80
Nmap scan report for 172.16.1.7
Host is up (0.017s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
80 open http Lotus Domino httpd
Now that the IP address of the Domino server is known, you can open your web browser and look at the Domino web pages, which also reveal the version: http://serverip/homepage.nsf.
You can use Google hacking to find web servers running Domino by searching for inurl:homepage.nsf; the results contain thousands of Domino-based web pages. It is very important to note that you should not attempt to train yourself on these sites.
Usually when you install the Lotus client you need to connect to the server as a user, and an authentication screen appears that tends to scare off inexperienced testers; but if you concentrate and check everything slowly you will find the gaps and the administrator's mistakes.
First, learn the important resources on the server. On Domino the most important files have the .NSF extension, so we have:
/Names.nsf: this file on the Domino server contains file names and paths (it is the most important database in the Domino environment).
You can find other files using DominoHunter, which gives you a list of all .nsf files. But what we need is the names.nsf database, which includes all mail addresses, user information, users' operating systems, security applications on Lotus Notes and other important information.
What is interesting is that on most Domino servers this file can be accessed by anonymous users =-).
Now, the kind of information we need to take care of:
1. The list of user logins, so we can guess their passwords and find out which user account is the admin.
2. All of this information can be used in social engineering to trick untrained personnel.
3. In names.nsf you will also find the OS version and the Lotus Notes client version, which is very helpful for finding 0-days for all users, applications and operating systems. Here an attacker can even use a vulnerability in Internet Explorer to compromise some accounts.
Gathering information is not all that is possible: in 2005 someone discovered a vulnerability that allows an attacker to get Internet users' password hashes. The vulnerability is not difficult to exploit because all users' password hashes are stored in the hidden HTTPPassword or dspHTTPPassword files, depending on the version.
What is strange is that this vulnerability remains unfixed.
Now, the number of users can be in the hundreds or thousands, so you will need to obtain all hashes in an automatic way. In 2007 an exploit, Raptor_dominohash, was released for dumping the password hashes; it allows downloading all users' hashes.
DominoHashBreaker is also an important tool; it tries to find the clear text form of the password with a dictionary attack. The goal is to make it possible for administrators to check the robustness of their users' passwords.
But for the best results use John the Ripper with the Jumbo patch, which adds modern password hashes; all you need to do is give HASH.txt to John the Ripper (in the form username:hash). If you find one account's password you will be able to infer the password policy for all users, and it will not take much time to obtain the full password list. These passwords are for Domino web access.
If we have the administrator's account password, then it's ok; if not, we should repeat the previous steps. Something interesting is that the admin password allows an attacker to open webadmin.nsf (servername/webadmin.nsf), the administration interface of the Lotus Domino web server, and by getting access to this resource you can add, remove or modify users.
On Domino there is another protocol, NRPC, using port 1352; this is what the Lotus Notes client and Lotus Designer use, and the client needs a certificate to prove its identity, stored in a file with the extension ID. There is also a password authentication mechanism.
Passwords are used to decrypt the ID file, so to have access to any Domino account we need two things: an ID file and the password for this file. This is more complicated than web access, but it is always possible.
To get the ID file you can exploit a vulnerability in Lotus Domino where the server keeps a copy of the ID stored on the server, so if you have the users' logins as shown using names.nsf, you will have the IDs. For the password there are three tools that can search for the ID password (ID Password Recovery, Lotus Notes Password Recovery or Notes Password Recovery, by following this link); all three tools are free.
This post presents a clear idea about the different configuration faults that can exist in a Domino server with a small vulnerability that can allow an outsider to take full control of the server and manipulate a corporation’s very sensitive information.
Reference: http://dsecrg.com/pages/pub/show.php?id=2
make sure you subscribe to my RSS feed!
Password Cracking Arrives to the Cloud
Posted by Mourad Ben Lakhoua in News, Password Security on November 4, 2009
David Campbell, a security consultant, made a study regarding password safety. The research was based on evaluating the cost of cracking a password with a paid service, the Amazon EC2 web service.
The security expert found that to crack a 12 character password based on the lowercase letters "a" to "z", hackers would need to pay about 1,5 million dollars. An 11 character password costs 60 thousand dollars, and for 10 characters the password can be obtained for just 2300 dollars.
Mixing numbers and letters in the password will enhance protection, but not as much as needed. For example the cost to crack 10 combined alphanumeric characters is less than 60 thousand dollars, while for 11 characters the hacker should spend 2.1 million. Adding special characters (!@#$%) makes the price jump to more than 106 thousand for 8 characters.
Cloud computing has significantly reduced the cost of purchasing and maintaining expensive equipment, but it is time to invest a part of the IT budget in solid solutions like two factor authentication or password management, to eliminate the threats of password guessing and man in the middle attacks.
Password Auditing Tools
Posted by Mourad Ben Lakhoua in Password Security, Pentesting, Tools on August 15, 2009
A VPN (virtual private network) is often used to secure communication over a public network; many security specialists advise using it on public Wi-Fi to encrypt all traffic and make it impossible for an outsider to sniff information, or to provide remote access to an offsite user. But after implementing the VPN connection there is a testing phase for user authentication.
Now the question is: who said that cracking the password of a VPN account is impossible?
The THC group has proved that this is reachable with THC pptp-bruter. This software is a brute forcer for the PPTP protocol (1723/TCP); it only works if the authentication server uses Microsoft Windows CHAP v2, and it can be used against Windows and Cisco gateways.
The good point in pptp-bruter is that you can attempt 300-400 passwords, depending on packet delivery speed. So the operation time depends on how many characters long your password is (8 or less is very risky) and on network speed; we can try about 14 million passwords per hour (this can take less time if you know the password policy used by the organization). The only disadvantage of pptp-bruter is that we need some third-party libraries to compile the program.
Microsoft SQL Servers also use authentication, and after implementing the database infrastructure, checking the security of user accounts is a must. Piggy 1.0.1 is a good tool for brute forcing and auditing passwords on Microsoft SQL Server. The good point of Piggy is that you can check multiple servers at the same time: after Nmap scans for the available services on the network it provides the IP addresses of the servers with port 1433 (TCP) open, and Piggy automatically starts auditing the servers' user passwords, with a very good chance of finding those accounts by using a dictionary password attack.
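The two posts above reason about the same quantity from opposite ends: the cloud post prices an exhaustive search by length and character class, and the pptp-bruter paragraph quotes an online guess rate of about 14 million passwords per hour. The following calculator, added here as an example and not taken from either post or from Campbell's study, makes that reasoning explicit so a defender can size a password policy against an assumed attacker budget. The character-set sizes follow the classes the posts describe; the guess rate, hourly price and budget are assumptions supplied by the caller (the sample numbers in the main block are constructed, not Campbell's figures).

```python
# Added example: worst-case cost of exhaustive password guessing.
# Character-set sizes follow the classes the posts describe; the guess
# rate and hourly price are assumptions passed in by the caller.

LOWERCASE = 26                    # a-z, as in the 12/11/10 character figures
ALPHANUMERIC = 26 + 26 + 10       # a-z, A-Z, 0-9
ALNUM_SPECIAL = ALPHANUMERIC + 5  # plus the five specials the post names: !@#$%

PPTP_GUESSES_PER_HOUR = 14_000_000  # online rate quoted for pptp-bruter


def keyspace(charset_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    if charset_size < 1 or length < 1:
        raise ValueError("charset size and length must be positive")
    return charset_size ** length


def hours_to_exhaust(charset_size, length, guesses_per_hour):
    """Worst-case hours to try every candidate at a fixed guess rate.
    The expected time for a uniformly random password is half of this."""
    return keyspace(charset_size, length) / guesses_per_hour


def cost_to_exhaust(charset_size, length, guesses_per_hour, price_per_hour):
    """Worst-case rental cost when cracking capacity is billed by the hour."""
    return hours_to_exhaust(charset_size, length, guesses_per_hour) * price_per_hour


def min_length_for_budget(charset_size, guesses_per_hour, price_per_hour,
                          attacker_budget, max_length=64):
    """Smallest length whose exhaustive cost exceeds the attacker's budget,
    or None if no length up to max_length does."""
    for length in range(1, max_length + 1):
        if cost_to_exhaust(charset_size, length, guesses_per_hour,
                           price_per_hour) > attacker_budget:
            return length
    return None


if __name__ == "__main__":
    # Constructed assumption: one rented instance doing 1e9 guesses/s at $1/hour.
    rate = 1_000_000_000 * 3600
    classes = (("lowercase", LOWERCASE), ("alphanumeric", ALPHANUMERIC),
               ("alnum+special", ALNUM_SPECIAL))
    for name, size in classes:
        for length in (8, 10, 12):
            cost = cost_to_exhaust(size, length, rate, 1.0)
            print(f"{name:14s} len {length:2d}: ${cost:,.0f}")
    online = hours_to_exhaust(LOWERCASE, 8, PPTP_GUESSES_PER_HOUR)
    print(f"online PPTP, 8 lowercase, worst case: {online:,.0f} hours")
    print("min lowercase length vs $1000 budget:",
          min_length_for_budget(LOWERCASE, rate, 1.0, 1000))
```

The figures are exhaustive worst cases; a dictionary or policy-aware attack of the kind the posts mention finishes far sooner, so the calculator gives an upper bound on attacker cost, not a guarantee.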
Finally, here are some useful online links for cracking hashes:
http://passcracking.com/
http://www.hashchecker.com/index.php
http://www.milw0rm.com/
http://www.gdataonline.com/
http://www.md5hood.com/
and here, brute force in Python and Perl
Vulnerability makes eBay Developers Program accounts at Risk
Posted by Mourad Ben Lakhoua in Internet, News, Password Security, Vulnerabilities & attacks, Web Security on August 13, 2009
eBay security specialists have asked developer program members to change their passwords. This is due to a newly discovered vulnerability that can allow an attacker to intercept important account details.
Kumar Kandaswamy, eBay Developers Program manager, reported in the published guidance that the company has found a way in which an outsider can access user account information at the eBay Developers Program, so as a preventive measure it is highly recommended to change all user passwords.
The vulnerability does not allow attackers to grab financial information such as credit card or bank account information or Social Security numbers.
But in 2007 a hacker called Vladuz managed to bypass all the protection measures and obtain unauthorized access to eBay facilities intended only for employees; as a result the hacker was arrested in Romania.
The eBay Developers Program helps users work with its API and develop online applications for web resources. Now when you click join and want to select a new password there are strict safety standards for creating the password: "Your password must be 8 characters or longer, and contain at least 1 upper case letter (A-Z), 1 lower case letter (a-z), 1 number (0-9), and 1 special character (!@#$%*+-_.?). For example, Cool_devel0per." That's good for user security.
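As an added example (not eBay's code, and not from the post), here is the quoted policy written out as a checker, so the rules can be applied on the server side rather than trusted to the sign-up form. The character classes are taken literally from the quoted text, ASCII A-Z, a-z, 0-9 and the listed specials; the small deny-list of known-weak values is constructed for the example, and it includes the post's own sample password because any published example should be treated as burned.

```python
import string

# Rules exactly as the eBay policy quoted on the page states them.
MIN_LENGTH = 8
EBAY_SPECIALS = "!@#$%*+-_.?"

# Constructed deny-list for the example: values that satisfy every complexity
# rule yet are predictable. The post's own sample password is included because
# anything printed in documentation ends up in attacker word lists.
KNOWN_WEAK = {"password1!", "welcome1!", "cool_devel0per"}


def policy_failures(password):
    """Return the list of rules the password breaks; an empty list means compliant."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    # string.ascii_* is used instead of str.isupper()/isdigit() so that only the
    # ASCII ranges the policy names (A-Z, a-z, 0-9) satisfy each rule.
    if not any(c in string.ascii_uppercase for c in password):
        failures.append("no upper case letter (A-Z)")
    if not any(c in string.ascii_lowercase for c in password):
        failures.append("no lower case letter (a-z)")
    if not any(c in string.digits for c in password):
        failures.append("no number (0-9)")
    if not any(c in EBAY_SPECIALS for c in password):
        failures.append(f"no special character ({EBAY_SPECIALS})")
    return failures


def is_compliant(password):
    """True when the password satisfies every complexity rule."""
    return not policy_failures(password)


def is_known_weak(password):
    """True when the password is on the deny-list (compared case-insensitively)."""
    return password.lower() in KNOWN_WEAK


def accept_password(password):
    """Server-side decision: complexity rules first, then the deny-list."""
    return is_compliant(password) and not is_known_weak(password)


if __name__ == "__main__":
    for candidate in ("Cool_devel0per", "password", "Short1!", "Tr0ub4dor&3", "Tr0ub4dor+3"):
        print(f"{candidate!r}: failures={policy_failures(candidate)} "
              f"accept={accept_password(candidate)}")
```

Note that "Tr0ub4dor&3" is rejected only because "&" is not in the quoted special-character list, while the post's example "Cool_devel0per" passes every rule and is still refused by the deny-list; complexity rules and a deny-list catch different failures.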
Brute Force & password recovery tools
Posted by Mourad Ben Lakhoua in Password Security, Tools on July 29, 2009
There is an immense number of brute force and password recovery tools that have been created to help security specialists in pentesting and in evaluating the password security level of applications and systems.
Let's start with Brutus AET2; since 2000 there has been no update for this tool. But it still appears to be one of the fastest and most modern tools for brute forcing Internet protocols. If you need to test passwords for HTTP (websites that use login and password authentication) like forums, email accounts, file and telnet servers, Brutus is a good choice.
To work with this tool you just add the target IP address and service port, select the protocol, the number of threads desired (max 60) and the timeout; if you also want to hide yourself during the operation you can use SOCKS or a proxy.
This tool uses a dictionary attack, or you can define a word list file. If you use the word list you can just add some words that you suspect the administrator might use, so it is a universal tool for HTTP, FTP, POP3 and Telnet.
L0phtcrack is used for auditing Windows system passwords; you can find more about their latest release, LC6. L0phtcrack is not free anymore, but you can replace it with Pwdump, with which you can get the same result.
THC-Hydra is the ideal tool for cracking authentication. This tool is proof of concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized access to a system from remote. On top of that it supports more than 30 protocols, among them TELNET, FTP, HTTP-GET, HTTP-HEAD, HTTPS-GET, HTTP-HEAD, HTTP-PROXY, VNC, POP3, IMAP, NNTP, ICQ, SAP/R3, Cisco auth, Cisco enable, SMTP-AUTH, SSH2, SNMP, Cisco AAA.
You can find this tool in the Backtrack Live CD.
Nowadays many applications restrict login attempts, so after several failed attempts your IP will be banned. TSGrinder is the first production Terminal Server brute force tool; the most interesting thing in TSGrinder is that you can specify how many times to try a username/password combination within a particular connection, and if you are using a proxy that changes your IP for each connection, after some time you can pass the authentication phase.
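The paragraph above shows why a per-IP ban alone is a weak control: once the source address rotates, a counter keyed on the address never trips. The example below, added here and not part of the post, runs two detections over a few constructed authentication log lines: a velocity check per source address (the control the post says most applications have) and a second check keyed on the target account, which still fires when the same username is hammered from many addresses. The log format, the addresses (RFC 5737 test ranges) and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<ISO timestamp> src=<ip> user=<name> result=FAIL|SUCCESS").
# 203.0.113.5 hammers one account from one address; 192.0.2.11-14 hit the same
# account once each, the pattern a proxy-rotating tool leaves behind.
SAMPLE_LOG = """\
2009-07-29T10:00:01 src=203.0.113.5 user=admin result=FAIL
2009-07-29T10:00:04 src=203.0.113.5 user=admin result=FAIL
2009-07-29T10:00:07 src=203.0.113.5 user=admin result=FAIL
2009-07-29T10:00:10 src=203.0.113.5 user=admin result=FAIL
2009-07-29T10:00:13 src=203.0.113.5 user=admin result=FAIL
2009-07-29T10:00:16 src=203.0.113.5 user=admin result=FAIL
2009-07-29T10:01:00 src=198.51.100.7 user=alice result=FAIL
2009-07-29T10:01:09 src=198.51.100.7 user=alice result=SUCCESS
2009-07-29T10:02:00 src=192.0.2.11 user=admin result=FAIL
2009-07-29T10:02:30 src=192.0.2.12 user=admin result=FAIL
2009-07-29T10:03:00 src=192.0.2.13 user=admin result=FAIL
2009-07-29T10:03:30 src=192.0.2.14 user=admin result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")


def parse_events(text):
    """Parse log text into (timestamp, source, user, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events


def fast_failing_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Sources with at least `threshold` failures inside any sliding `window`.
    This is the per-IP lockout logic; it is blind to address rotation."""
    fails = defaultdict(list)
    for ts, src, _user, result in events:
        if result == "FAIL":
            fails[src].append(ts)
    flagged = set()
    for src, times in fails.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def targeted_accounts(events, min_sources=4):
    """Accounts that received failures from at least `min_sources` distinct addresses.
    Keyed on the victim account, so rotating proxies do not hide the attempt."""
    sources = defaultdict(set)
    for _ts, src, user, result in events:
        if result == "FAIL":
            sources[user].add(src)
    return {user for user, srcs in sources.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("per-IP velocity alerts:", fast_failing_sources(events))
    print("accounts targeted from many sources:", targeted_accounts(events))
```

Running it shows the per-IP check catching only 203.0.113.5, while the account-keyed check catches the spread-out attempts against admin; alerting on the account (and applying a per-account lockout or step-up) is the control that survives IP rotation.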
It is important to note that all programs are used just for educational purposes.
Hackers 'can attack through staff password'
Posted by Mourad Ben Lakhoua in Password Security on May 3, 2009
Companies are concerned that their employees are jeopardising their network security by not being careful about their passwords.
That’s according to Graham Cluley, senior technology consultant at Sophos, who observed that many people use the same password for all sites they visit.
This could result in an increased risk of phishing and viruses being spread, he added.
‘Many corporations are worried about hackers gaining access to their employees’ passwords, and many people base their password on the name of their pet, maybe the name of their girlfriend or wife, maybe their favourite football team – the kind of personal information that can be put on these sites,’ Mr Cluley noted.
‘If they’re using the same password for everything, chances are they are also using that password inside their corporation.’
The comments follow a recent survey by Sophos, which found that 63 per cent of systems administrators in organisations are concerned about workers putting too much information on social networking websites.
[Source: British Computer Society]
After more than three years since Symantec stopped the support and development of L0phtcrack the tool that provided a titanic opportunity for passwords auditing and recovery.